The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who reside in the EEA, and applies to any enterprise — regardless of its location and the data subjects' citizenship or residence — that is processing the personal information of data subjects within the EEA.
SGPD - Preparation, Organization, Development and Implementation, Governance, and Evaluation and Improvement.

Conduct privacy analysis. Collect privacy laws. Analyze the impact on privacy. Conduct initial data audits and assessments. Establish a data governance organization. Establish data flows and a personal data inventory. Establish the PD & P program. Draft implementation plans for PD & P actions. Maintain the data privacy governance program, policies and controls. Assign and maintain responsibilities in PD & P (RACI matrix). Maintain the involvement of senior management in PD & P. Maintain commitment in the organization to PD & P. Maintain regular communications on PD & P issues. Maintain stakeholder involvement in PD & P issues. Implement and operate computerized systems for PD & P.

Updated PD & P strategy. Updated PD & P program. Updated data governance controls. DPO appointment announcement. Communications regarding all issues related to PD & P. PD & P network. Role of PD & P in job descriptions. Updated training, communication and privacy awareness plan. Automated PD & P systems.
Develop and implement PD & P strategies, plans and policies. Implement the approval procedure for processing personal data. Register databases for personal data. Develop and implement an international data transfer system. Perform PD & P integration activities. Run the PD & P training plan. Implement data security controls.
You might ask what an EU law has to do with you if you and your website are based in the US. The truth is: a lot. Does the GDPR affect the US? Yes!
The GDPR has extra-territorial scope, which means that websites outside of the EU that process the data of people inside the EU are obligated to comply with the GDPR. So, if you have a website in the US and you have visitors from the EU, the GDPR applies to your domain. If that is the case, you need to meet the GDPR requirements and conditions for processing data.